Around RSA

Tales from the Black Hat NOC: Setup in London

Nov 03, 2016 | by Dave Glover |

Arrival into London went without a hitch. I then took the train to Angel station and walked to the Business Design Center, which is my home for the next week, during the Black Hat Europe 2016.

After walking through the doors and finding my way I was greeted by a room full of boxes.

Time to get to work and unpack the RSA Netwitness Platform and get this show in the road.



Unlike the "luxurious" bell cart rack that we had in Las Vegas for Black Hat USA, we had to stack the appliances on a pelican case.

Server Rack

The equipment that will be performing the work is the following:

  • RSA Netwitness Head Unit
  • Log Hybrid
  • Packet Hybrid
  • Malware
  • Event Stream Analysis (ESA)
    • In our case the ESA is critical for advanced machine learning C2 detection.

Once all the equipment was "racked" and powered on, we performed the RSA NetWitness 10.6.2 upgrade (more on that in a later post by Mike Sconzo).

The deployment went without a hitch, and, once we were set up - logs were sent from the Fortinet Firewall as well as the Fortinet Access Points. With these logs we were quickly able to highlight connections to malicious sites as well as machines that were possibly downloading viruses. In addition, Fortinet firewalls are able to categorize all web traffic, which in provides us with a starting point when examining the traffic patterns.

Log Dashboard

Packets were a bit of a different story... Periodically, I get asked about the placement of the network taps. Most of the time, taps are placed between the firewall and internal network, in order to provide the highest level of visibility. In rare cases, and as was such at Black Hat Europe initially, the taps are placed between the firewall and the internet. The challenge with this deployment is that all source IPs are the firewall and without logs there is no ability to see the true source IP as it is NAT'd through the firewall. So best course of action is always to deploy the taps between the firewall and the Lan for maximum visibility.

Let the fun begin...